How I found and removed a WordPress hack



Yesterday, a WordPress server that I look after for a friend had been broken into. Instead of trashing the site, the script-kiddy hooked the server into a spam bot-net, and proceeded to send thousands of emails from the host. In addition, the script-kiddy added in some extra ‘hidden’ content onto the server, and then got Google to scan for that content. In essence, the server was still ‘working’ but was also being used for other purposes.

One of the things that my first UNIX instructor, Harry Eleftheriou, showed me was the power of ‘pipes’. Pipelining commands together was THE way to use simple yet finely crafted programs to make life easier. Today, that came to the fore.

I wanted to find all successful requests (HTTP Response 200) from the logs. From that I wanted to extract the script names (the 7th field in the log entry) that were being executed, and find which scripts were being called most regularly. The command that I came up with looked like the following:

# grep " 200 " http_access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -7
 1063 /wp-includes/js/swfupload/general.php
  666 /wp-login.php
  184 /wp-admin/admin-ajax.php
  179 /favicon.ico
   84 /wp-includes/Text/stats.php
   78 /
   39 /robots.txt

That command quickly highlighted what scripts were being run. And a few of them didn’t look right; a quick look at those files told me that two of them were infected/fake files and could be removed. After running that on all the logfiles, I had found all the infected files. Now, off to install Tripwire.
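A stricter variant of the pipeline above, as an added example that is not part of the original post: it matches the status field exactly instead of grepping for " 200 " (which also matches a response size of 200), strips query strings, and lists directly requested PHP files under `wp-includes/` or `wp-content/uploads/` for manual review. It assumes Apache combined log format; the function names, the sample log and the directory heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample log in Apache combined format (documentation IP ranges).
write_sample_log() {
cat > "$1" <<'EOF'
192.0.2.10 - - [01/Jan/2016:10:00:01 +0000] "POST /wp-includes/js/swfupload/general.php HTTP/1.1" 200 312 "-" "curl/7.0"
192.0.2.10 - - [01/Jan/2016:10:00:02 +0000] "POST /wp-includes/js/swfupload/general.php HTTP/1.1" 200 312 "-" "curl/7.0"
198.51.100.7 - - [01/Jan/2016:10:00:03 +0000] "GET /wp-includes/Text/stats.php?x=1 HTTP/1.1" 200 90 "-" "curl/7.0"
203.0.113.5 - - [01/Jan/2016:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2016:10:00:05 +0000] "GET /missing.php HTTP/1.1" 404 200 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2016:10:00:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Count successful requests per path. Field 9 is the status code, field 7 the
# request path; the 404 line above (size 200) is correctly ignored.
top_paths() {
    awk '$9 == 200 { p = $7; sub(/\?.*/, "", p); print p }' "$1" |
        sort | uniq -c | sort -rn | head -n "${2:-7}"
}

# Heuristic (assumption): a .php file under wp-includes/ or wp-content/uploads/
# that is requested directly and answers 200 is worth opening by hand.
# Output columns: total hits, POST hits, path.
suspect_php() {
    awk '$9 == 200 {
             p = $7; sub(/\?.*/, "", p)
             if (p ~ /^\/wp-(includes|content\/uploads)\/.*\.php$/) {
                 hits[p]++
                 if ($6 == "\"POST") posts[p]++
             }
         }
         END { for (p in hits) printf "%d %d %s\n", hits[p], posts[p], p }' "$1" |
        sort -rn
}

# Usage: sh script.sh /path/to/http_access.log
if [ $# -gt 0 ]; then
    top_paths "$1"
    suspect_php "$1"
fi
```

The list is a set of candidates, not a verdict: compare each file against a clean copy of the same WordPress version before deleting anything.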


